upstream SSL certificate does not match "dev_server" while SSL handshaking to upstream

March 13, 2020 03:12AM
Hi Team,
I am trying to establish encrypted communication between NGINX <-> APIs
(POST, GET) with the configuration below, but I am facing an SSL handshake
issue.

*Config:*

upstream dev_server {
zone dev_server 64k;
server dev1.sysmac.com:443;
server dev2.sysmac.com:443;
server dev3.sysmac.com:443;
}

server {
ssl_certificate /etc/nginx/ssl/nginx-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 8.8.8.8 valid=300s;
resolver_timeout 5s;
ssl_session_timeout 5m;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

# Policy section
#
location = /_dosomething {
internal;

proxy_pass https://$upstream$request_uri;

proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;

proxy_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.trust.crt;

proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
proxy_ssl_server_name on;
}

}

*Error:*
upstream SSL certificate does not match "dev_server" while SSL handshaking to upstream, client: <my_test_machine_ip>, server: <nginx_server_ip>, request: "POST /dosomething HTTP/1.1", upstream: "https://<dev1.sysmac.com_ip>:443/dosomething", host: "<nginx_ip>"

*Verified with openssl:*
openssl s_client -servername NAME -connect dev1.sysmac.com:443 -showcerts -CApath /etc/ssl/certs/ca-bundle.trust.crt

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = <bla-bla>, L = <bla-bla>, O = <bla-bla>, OU = <bla-bla>, CN = dev5.sysmac.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=<bla-bla>/L=<bla-bla>/O=<bla-bla>/OU=<bla-bla>/CN=g4t7453.houston.hpe.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIHdzCCBl+gAwIBAgIQAblIEjggyGk4cIxk4xfU6TANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEw...............
-----END CERTIFICATE-----
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVM......
-----END CERTIFICATE-----
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCD.....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=<bla-bla>/L=<bla-bla>/O=<bla-bla>/OU=servers/CN=dev5.sysmac.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4746 bytes and written 428 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: <bla-bla>
Session-ID-ctx:
Master-Key: <bla-bla>
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 83 b1 99 75 73 6e 7c 05-33 1b 02 70 67 68 1f b4 ....usn|.3..pgh..
00a0 - 18 2b b0 1f 18 20 24 a4-ac ab e4 62 57 f6 1b 53 .+... $....bW..S
00b0 - c3 d8 db 4b 15 cb 82 de-78 52 21 03 c6 25 24 06 ....K....xR!..%$.

Start Time: 1584081168
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

*Questions:*
1. All of my upstream servers have the same SSL certificate configured, which
contains CN=dev5.sysmac.com, as I can see from openssl. In such a case, is
this the reason I am getting the "not found" error from the upstream block?

2. If not, how do I deal with such cases?

3. I am also looking for a way to debug the "ssl certificate does not match" error.
Do I need to specify the SSL cert separately for each /dosomething block?

Please help!!!



--
Sent from: http://nginx.2469901.n2.nabble.com/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
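Added example, not part of the original post or of nginx: it reproduces the hostname check nginx applies to the upstream certificate when proxy_ssl_verify is on. nginx compares the certificate against proxy_ssl_name, which defaults to the host part of proxy_pass, here the upstream group name "dev_server", so a certificate for dev5.sysmac.com can never match until proxy_ssl_name is set. The certificates below are constructed in the shape returned by ssl.SSLSocket.getpeercert(); the matching rules (SAN dNSName first, CN only as a fallback, wildcard only as the whole leftmost label) follow RFC 6125 as OpenSSL's X509_check_host applies them.

```python
"""Model of nginx's upstream certificate name check (added example)."""


def dns_names(cert):
    """Names eligible for matching: SAN dNSName entries, else the CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, same label count,
    '*' allowed only as the entire leftmost label (matches one label)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2 or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def upstream_cert_ok(cert, proxy_host, proxy_ssl_name=None):
    """True if nginx would accept `cert` for this proxy_pass target.
    proxy_ssl_name defaults to $proxy_host, i.e. the host in proxy_pass."""
    expected = proxy_ssl_name or proxy_host
    return any(name_matches(n, expected) for n in dns_names(cert))


# Constructed certificates; DEV_CERT mirrors the CN seen in the openssl output.
DEV_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "dev5.sysmac.com"),)),
    "subjectAltName": (("DNS", "dev5.sysmac.com"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.sysmac.com"),),),
    "subjectAltName": (("DNS", "*.sysmac.com"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "dev5.sysmac.com"),),)}

if __name__ == "__main__":
    # Default: the cert is compared with the group name -> "does not match".
    print(upstream_cert_ok(DEV_CERT, "dev_server"))
    # With `proxy_ssl_name dev5.sysmac.com;` the same cert is accepted.
    print(upstream_cert_ok(DEV_CERT, "dev_server", "dev5.sysmac.com"))
```

With proxy_ssl_server_name on, the same proxy_ssl_name value is also sent as SNI, so the chosen name must be one the upstream servers actually answer for.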